Keeping Your OPC Data Safe from WannaCry

We’ve all heard about the damage caused by WannaCry. A friend of mine described the chaos that ensued and lasted for days at the large multi-national company where he works. What about your plant network? Are your systems at risk? That depends on how your data is being used.

More and more companies are recognizing the value hidden in their process data, and are looking at ways to tap into it. If you need to provide access to OPC data on your plant system, say for analytics, predictive maintenance, or real-time dashboards, you'll need to secure your system from the kind of threat that WannaCry poses. What many people don’t realize is that a VPN won't keep your system safe.

How WannaCry Gets In

WannaCry is actually two pieces of malware. First, a “bomb” arrives by email and exploits your anti-virus software. The bomb unleashes a “worm” that propagates throughout your network, exploiting configuration weaknesses and operating system bugs. One of the worst aspects of WannaCry is that the email bomb can go off and infect a computer even if the email itself is never opened.

According to a code analysis of WannaCry by Zammis Clark at Malwarebytes Labs, “After initializing the functionality used by the worm, two threads are created. The first thread scans hosts on the LAN. … The scanning thread tries to connect to port 445, and if so creates a new thread to try to exploit the system using MS17-010/EternalBlue” (a newly discovered bug at the time).

How to Keep WannaCry Out

One way to eliminate the WannaCry threat is to stop using email altogether. More realistically, you should ensure that there are no email users connected to your process control system. You should keep email software off your industrial computers, and not allow email messages to pass through your firewall. But that’s not enough. You also need to make sure that you do not authorize any VPN connections to the network handling your OPC communications.

Given the way the virus attacks and spreads, using a VPN for a remote connection will not ensure security. Any machine on the VPN hit by the virus can spread it to every machine on the LAN. If your IT department is using a VPN to secure a connection from a computer in the corporate office to a plant control system, then every machine is exposed to a threat like WannaCry.

This inherent drawback of using a VPN is described in detail by Clemens Vasters, a Microsoft developer. In a paper titled “Internet of Things: Is VPN a False Friend?”, Vasters said, “VPN provides a virtualized and private (isolated) network space. The secure tunnels are a mechanism to achieve an appropriately protected path into that space, but the space per-se is not secured, at all. It is indeed a feature that the established VPN space is fully transparent to all protocol and traffic above the link layer.”

Connecting Securely Without VPN

So, if a VPN is not the solution for a secure remote connection, what is? How can you access data from your OPC servers without exposing your industrial network? One approach is explained in detail in a free white paper from Cogent, “Access Your Data, Not Your Network.” This paper explains why the traditional architecture of industrial systems is not suitable for secure IIoT or Industrie 4.0 applications, and it introduces the best approach for remote data access to industrial data over the Internet, without exposing the network or opening any firewall ports.

You see, industrial data communication protocols like OPC DA and OPC UA are based on a client-server model, in which the client opens a connection and requests data, and the server responds by sending that data. This works fine on a closed network, but if the client is outside the network at a remote location, then the request must go through an open firewall port. This exposes the plant network to attack from the Internet.

To keep all firewall ports closed, an outward connection must be made from the server to the client. However, no industrial protocol works this way, not even OPC. An alternative, secure-by-design approach is needed to make connections outside the plant security perimeter. This approach would provide an OPC client interface to the OPC server in the plant, and send the data over the Internet via TCP, secured with SSL. On the client side the data would be made available to the client through an OPC server interface. This technology should be able to transfer data bi-directionally through double proxies and DMZs. And of course, it should provide real-time performance, adding only a few milliseconds to the latencies of the Internet.
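The outward-connection pattern described above, reduced to its essentials as an added illustration (this is not Cogent's code, nor any OPC product's): a relay sits outside the plant perimeter and only ever accepts connections; the plant-side agent opens an outbound TCP connection to push tag values, and the remote client reads those values from the relay, never from the plant. The tag names and values are constructed sample data, the relay runs on loopback, and the TLS wrapping the text calls for is left out so the example runs without certificates.

```python
import json
import socket
import threading

# Constructed sample of plant-side process data, standing in for an OPC server (assumption).
PLANT_TAGS = {"Pump1.Speed": 1450.0, "Tank2.Level": 71.3}


def _send(sock, obj):
    sock.sendall((json.dumps(obj) + "\n").encode())


class Relay:
    """Sits outside the plant (e.g. in a DMZ). It only accepts connections and never
    initiates one into the plant, so the plant firewall needs no inbound port."""

    def __init__(self, host="127.0.0.1"):
        self.tags, self.lock = {}, threading.Lock()
        self.sock = socket.socket()
        self.sock.bind((host, 0))  # ephemeral port chosen by the OS
        self.sock.listen()
        self.port = self.sock.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            conn, _ = self.sock.accept()
            threading.Thread(target=self._handle, args=(conn,), daemon=True).start()

    def _handle(self, conn):
        with conn, conn.makefile("r") as lines:
            for line in lines:
                msg = json.loads(line)
                if msg["op"] == "publish":  # plant agent pushing values outbound
                    with self.lock:
                        self.tags.update(msg["tags"])
                    _send(conn, {"ok": True})
                elif msg["op"] == "read":  # remote client reads data, not the network
                    with self.lock:
                        value = self.tags.get(msg["tag"])
                    _send(conn, {"tag": msg["tag"], "value": value})


def plant_agent_publish(relay_port, tags):
    """Plant side: opens an OUTBOUND connection and pushes data, then waits for the
    relay's acknowledgement. In production this socket would be wrapped in TLS."""
    with socket.create_connection(("127.0.0.1", relay_port)) as s, s.makefile("r") as f:
        _send(s, {"op": "publish", "tags": tags})
        return json.loads(f.readline())["ok"]


def remote_client_read(relay_port, tag):
    """Remote side: asks the relay for one tag; it has no route into the plant network."""
    with socket.create_connection(("127.0.0.1", relay_port)) as s, s.makefile("r") as f:
        _send(s, {"op": "read", "tag": tag})
        return json.loads(f.readline())["value"]  # unknown tag -> None
```

Run with `relay = Relay()`, then `plant_agent_publish(relay.port, PLANT_TAGS)` from the plant side and `remote_client_read(relay.port, "Tank2.Level")` from the client side; the only listening socket in the whole exchange belongs to the relay.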

This is how to mitigate the threat of the WannaCry virus or anything similar. Such an attack cannot spread into this system because it can’t “see” anything to infect. There are no email clients or software, and all firewall ports are closed. The machines and devices on the network are completely invisible. The OPC client gains access to the data only, not to the network. In this way it is possible to share the data in your system, without a VPN.